What SMEs should know about GDPR Compliance
In December 2015, the European Parliament, Council and Commission reached agreement on replacing the Data Protection Directive of 1995 with the General Data Protection Regulation (GDPR). It governs every business that processes the personal data of individuals in the EU and supersedes national implementations of the Directive, such as the UK Data Protection Act 1998 (DPA).
The GDPR is designed to strengthen data protection for all individuals within the EU, giving consumers more protection and requiring businesses to give privacy more consideration. The regulation applies from 25th May 2018 and is intended to protect people in the EU from privacy violations and data breaches.
But what does this mean for SMEs in the UK? Here are some of the key facts you should know about making your SMB GDPR compliant.
First things first, what is the GDPR?
The GDPR is a regulation that requires every organisation collecting, storing or otherwise handling the personal data of people in the EU to comply fully with its requirements. It places responsibility on businesses and makes them accountable for protecting the data of their customers and employees.
The regulation applies to data collected digitally and to manually collected data held in a structured filing system. Any data that can be used to identify an individual, however it is classified or labelled internally, is covered by the regulation. In part, the regulation has been prompted by the ease with which organisations can now collect personal information about customers from their online activities.
What is personal data?
Although there are similarities between the DPA and the GDPR, the new regulation is more detailed and brings a much wider range of personal data under its protection. The definition of 'personal data' is broader than before and explicitly treats online identifiers, such as an IP address or a cookie identifier, as personal data. This reflects changes in technology and in the way organisations now collect information.
The GDPR (Article 4(1)) defines an identifiable person as follows:
"An identifiable person is one who can be identified, directly or indirectly (…), in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person."
Who does the GDPR apply to?
Any company that controls or processes the personal data of people in the EU must adhere to the GDPR, regardless of where the company is located. Even if your business is not established in Europe, you must be GDPR compliant if you offer goods or services to people in the EU or monitor their behaviour (for example, by tracking visitors to your website), because that processing concerns the personal data of EU residents.
What if I'm already DPA compliant?
Being DPA compliant will certainly give you a head start over companies that are not. You will probably already have much of the infrastructure and many of the processes that GDPR compliance requires. However, you are still likely to need adjustments: although the GDPR retains much of what was set out in the previous Directive, many of the principles have changed or been extended (for example, the new accountability principle and the requirement to demonstrate compliance, not merely achieve it).
Bearing this in mind, the GDPR should make little difference to the way you store routine customer information such as contact details or customer lists. As a UK business, if the data you hold falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The ICO's 12-step guide to preparing for the GDPR is a useful tool for understanding what compliance involves.
Will Brexit impact the GDPR?
UK businesses will still need to be GDPR compliant after Brexit. All UK businesses must comply from 25th May 2018, as the UK Government has confirmed that it will implement the regulation despite Brexit. The difference between the two instruments matters here: the 1995 Data Protection Directive set goals that each member state had to transpose into its own national law (the UK did so with the DPA 1998), whereas the GDPR is a regulation and applies directly in every member state without any national legislation, so businesses must comply with its text as written.
How will I be held accountable?
As mentioned above, the GDPR is directly binding. If you are not compliant by 25th May 2018, you can be held accountable from that date.
The regulation gives EU consumers more protection and holds businesses accountable for how they handle and process data, with fines of up to €20 million or 4% of global annual turnover, whichever is greater.
Ouch! That is the maximum fine, reserved for the most serious infringements, such as breaching the basic principles for processing (including the conditions for consent), infringing individuals' rights, or transferring data outside the EU unlawfully. Fines are applied in a two-tier regime: other breaches, such as failing to keep processing records, to secure data, to notify a breach, or to appoint a required Data Protection Officer, can be fined up to €10 million or 2% of global annual turnover by the supervisory authorities (in the UK, the ICO).
You should note that these fines are discretionary, not mandatory. They are imposed on a case-by-case basis and must be "effective, proportionate and dissuasive"; there is no "one-size-fits-all" fine.
So, what can I do to prepare?
Most importantly, make sure that the decision makers in your organisation are aware of and familiar with the changes in data protection law. Reading this article is a good first step.
To get started, the ICO's 12-step guide is extremely useful as an overview of compliance. It should give you a clearer understanding of the steps needed to become GDPR compliant.
In truth, there is quite a lot your business can do to prepare for the GDPR. Educating yourself so that you know what everything means is a good start. From there, building a relationship with an IT provider can help with the process and take some of the weight of IT compliance off your shoulders. Many of the technical tasks the GDPR requires, including data encryption and backup, data processing and breach detection and notification, can be outsourced to an IT provider. Note, however, that accountability cannot be outsourced: as the data controller you remain responsible for compliance, and any provider that processes personal data on your behalf must be bound by a written contract that sets out its obligations.
For example, to deal with data breaches you need the right IT hardware and software, governance, processes and strategies in place to protect your business from threats and keep your sensitive data secure. Firewalls are a baseline control for keeping attackers out and limiting what can leave your network, but they are only one layer of the protection you need.
In addition, it is vital that your staff are equipped to understand and identify what constitutes a data breach. Employee error is one of the biggest causes of security incidents in SMEs, and people can be the weakest link in your security. Training such as ST User Security teaches your staff to recognise cyberattacks and helps you protect your business from them.
How can Support Tree help my business and make sure I am GDPR Compliant?
We'll be holding a GDPR Lunch and Learn networking and learning session on 9th June at the London Film Museum, home of the largest official collection of original James Bond vehicles! Attendees can sign up for a free GDPR-compliance IT review and consultancy appointment on the day of the event. You will learn more specifically about how the GDPR affects IT and have a chance to network with industry peers. Not to mention, it's a great chance to see 007's vehicles up close.
Personal Data Processes
To meet the requirements of the GDPR, you will need to update, change or replace the way you currently process personal data. We can identify and develop new processes that let you access and process personal data smoothly and in line with the regulation.
Knowing where threats can affect your business is important, and IT is no exception. We'll make your IT resilient to threats by identifying potential risks, analysing them, mitigating them and monitoring for them.
We will put data protection safeguards in place so that all customer data sets are secured and encrypted. Knowing where your data is at all times means you can report on it quickly when necessary. This matters because the GDPR requires you to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the individuals affected, and to inform those individuals without undue delay where the risk to them is high.
Data security plays a prominent role in the GDPR, reflecting changes in modern privacy regimes. Stricter guidelines and standards have been imposed to protect individuals' data, so the data your business holds must be suitably protected. We will help you implement the appropriate technical and organisational measures to ensure this happens.
Roles and Responsibilities
Knowing who is responsible for data within your business is key to GDPR success. In certain circumstances the GDPR requires you to appoint a Data Protection Officer (DPO): if you are a public authority, or if your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health data) or criminal conviction data. We will help you work out whether you need to appoint a DPO and ensure your staff have sufficient knowledge to meet the GDPR's obligations.
At Support Tree, we provide the services you need to support your compliance and regulatory requirements. Our qualified engineers will assess your business's current data protection and privacy management through an on-site review, allowing us to find areas for improvement. From this we will provide a detailed compliance report, from which you can identify the key barriers in your systems that stand between you and GDPR compliance.
The GDPR Lunch and Learn will be a useful way to learn about the GDPR and network with peers and vendors. To sign up, contact us here.
We can help you build an IT security policy and a data protection plan, and educate your employees on how to keep data secure.